EP1622333A1 - Method and apparatus for minimally onerous and rapid authentification - Google Patents

Method and apparatus for minimally onerous and rapid authentification Download PDF

Info

Publication number
EP1622333A1
EP1622333A1 EP04291931A EP04291931A EP1622333A1 EP 1622333 A1 EP1622333 A1 EP 1622333A1 EP 04291931 A EP04291931 A EP 04291931A EP 04291931 A EP04291931 A EP 04291931A EP 1622333 A1 EP1622333 A1 EP 1622333A1
Authority
EP
European Patent Office
Prior art keywords
node
representation
key
nonce
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP04291931A
Other languages
German (de)
French (fr)
Inventor
Gabriel Sun Microsystems France S.A. Montenegro
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sun Microsystems France SA
Original Assignee
Sun Microsystems France SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sun Microsystems France SA filed Critical Sun Microsystems France SA
Priority to EP04291931A priority Critical patent/EP1622333A1/en
Priority to US11/029,925 priority patent/US20060026433A1/en
Publication of EP1622333A1 publication Critical patent/EP1622333A1/en
Withdrawn legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/126Applying verification of the received information the source of the received data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2103Challenge-response
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless

Definitions

  • IPv4 Internet Protocol version 4
  • IPv6 Internet Protocol version 6
  • CBIDs are derived from cryptographic keys. More specifically, a given device in a network can be associated with a unique private-public key pair, the CBID may then be derived from the public key. The derivation of the CBID typically involves performing a secure hash on the public key associated with the device and using the result as a basis to produce a CBID. As a result, a CBID can be verifiably associated with the public key associated with the device. Because the CBID contains unique identification ( i.e ., part of the result of applying the secure hash of the public key), one may readily verify the device.
  • the CBID provides a means to verify which device one is communicating with
  • the CBID does not provide a means to authenticate the user of the device.
  • User authentication can be accomplished through the public key infrastructure.
  • the public key infrastructure is available. For example, when two users wish to communicate with each other through wireless devices, and the area they are located in does not have any wireless connectivity to the Internet, neither of the devices is capable of accessing an Internet-based public key infrastructure.
  • an alternative approach is to use existing authenticated (but not necessarily secret) human communication channels, such as visual or audio communications, to authenticate users and to bootstrap secure communications. For example, if Alice wishes to communicate with Bob through wireless devices in a public place, Alice's device needs to identify Bob's device. To achieve this, Bob can verbally communicate to Alice his device's address or identifier, which can be represented as a string of symbols, and Alice can then enter this string of symbols into her device. [denigration]
  • One method of authenticating a device and the user of the device using the aforementioned human communication channel is to convey the CBID of the device that is to be authenticated to the device performing the authentication over a communication channel.
  • the authenticating device and the device to be authenticated may independently convert the CBID of the device to be authenticated into a human readable character string (i.e., a set of words) using, for example, a one-time-password dictionary.
  • the human readable character string generated by both the authenticating device and the device to be authenticated are then compared over an existing authenticated human communication channel (e.g., speaking over the phone, speaking in person, email, etc.).
  • the human readable character string typically contains 8-10 four letter words.
  • the invention relates to a method for sending data from a second node (102) to a first node (100), comprising generating a hashed message authentication code (M) using a key and data, sending the hashed message authentication code (M) to the first node (100), generating a nonce in response to receiving the hashed message authentication code (M) by the first node (100), sending the nonce to the second node (102), sending the nonce, the key (K) and data (D) to the first node (100) in response to the second node (102) receiving the nonce, verifying the hashed message authentication code (M) by the first node (100) using the key (K) and data (D), if the hashed message authentication code (M) is verified generating a first representation on the first node (100) and a second representation on the second node (102), wherein the first representation and the second representation are associated with the key (K), and verifying that the first representation matches the second representation using an
  • the invention relates to a method for establishing a secure communications channel (108) between a first node (100) and a second node (102), comprising generating a first hashed message authentication code using a first key and a first asymmetric key, sending the first hashed message authentication code to the first node (100), generating a first nonce in response to receiving the first hashed message authentication code by the first node (100), sending the first nonce to the second node (102), sending the first nonce, the first key and the first asymmetric key to the first node (100) in response to the second node receiving the first nonce, verifying the first hashed message authentication code by the first node (100) using the first key and the first asymmetric key, if the first hashed message authentication code is verified: generating a first representation on the first node (100) and a second representation on the second node (102), wherein the first representation and the second representation are associated with the first key, verifying that the first hashed message authentication code
  • embodiments of the invention relates to verifying the first nonce sent from the second node (102) by the first node (100) to determine whether the first nonce is valid, and aborting establishing the secure communications channel (108), if the second nonce is not valid, verifying the second nonce sent from the first node (100) by the second node (102) to determine whether the first nonce is valid, and aborting establishing the secure communications channel (108), if the second nonce is not valid.
  • the first representation, the second representation, the third representation, and the fourth representation are generated using a one-time-password dictionary.
  • the first representation, the second representation, the representation, and the fourth representation correspond to fractal images.
  • the first representation, the second representation, the third representation, and the fourth representation correspond to audio files.
  • the invention relates to a system, comprising a first node (100) and a second node (102), wherein the first node (100) is operatively connected to the second node (102) via a communication channel (108), and wherein the first node (100) is operatively connected to the second node (102) using an authentic channel (110), and wherein the first node (100) is configured to generate a hashed message authentication code using a key (K) and data (D), send the hashed message authentication code to the first node (100), generate a nonce in response to receiving the hashed message authentication code by the first node (100), send the nonce to the second node (102), send the nonce, the key (K), and data (D) to the first node (100) in response to the second node (102) receiving the nonce, verify the hashed message authentication code by the first node (100) using the key (K), and data (D), if the hashed message authentication code is verified:
  • FIG. 1 shows a system in accordance with one embodiment of the invention.
  • FIG. 2 shows a flow diagram in accordance with one embodiment of the invention.
  • embodiments of the invention relate to a method and apparatus for transferring data between nodes in a network using a communication channel and a separate authentic channel.
  • Embodiments of the invention provide a method and apparatus to transfer data in a manner that ensures authenticity (i.e., the source of the data is authenticated) and integrity of the data (i.e., the data that is received is identical to the data sent). More specifically, embodiments of the invention provide a method and apparatus to transfer data in the form of a Hashed Message Authentication Code (HMAC) (i.e., a message authentication code generated using a keyed-hashing mechanism) and then subsequently authenticating the key used to generate the HMAC using a separate authentic channel.
  • HMAC Hashed Message Authentication Code
  • embodiments of the invention provide a method and apparatus for authenticating the key used to generate the HMAC using human readable representation, such as, a set of words, sounds, images ( e.g ., fractal images), etc. Further, embodiments of the invention provide a method for transferring data, such as public keys, etc. that may be used to establish a secure communications channel.
  • Figure 1 shows a system in accordance with one embodiment of the invention.
  • the system includes two nodes (i.e., Node A (100) and Node B (102)).
  • the nodes i.e., Node A (100) and Node B (102)
  • the communication channel (108) may correspond to any method of transferring data between the nodes (i.e., Node A (100) and Node B (102)), such as a local area network (wired, wireless, or a combination of both), a wide area network (wired, wireless, or a combination of both), a Bluetooth network, a global system for mobile communication (GSM) network, etc.
  • GSM global system for mobile communication
  • each node may include a control module (114) that is typically configured to control the overall operation of the node. Further, the control module (114) may be configured to manage other components within the node (100).
  • Node A (100) includes the following components: a HMAC generator (120), a key generator (122), a memory (118), a representation module (124), a timing module (116), and a communications interface (112). Each of the components is described below in detail.
  • the key generator (122) is configured to generate a key, for example, using a random number generator, etc.
  • the HMAC generator (120) in one embodiment of the invention, is configured to obtain data, to be sent, from the memory (118), and the key from the key generator (122) and generate a HMAC of the data using the key.
  • the HMAC generator (120) uses a cryptographic hash function such as Secure Hash Algorithm-1 (SHA-1) or Message Digest 5 (MD 5) to generate the HMAC.
  • SHA-1 Secure Hash Algorithm-1
  • MD5 Message Digest 5
  • An implementation of a mechanism for HMAC is outlined in RFC 2104 (http://rfc.net/rfc2104.html)
  • the representation module (124) includes functionality to convert the key (either generated by the key generator (122) of the node or received from another node) into a human identifiable form (i.e., a form that can be easily identified by humans such as a set of words, an image, an audio file, etc.).
  • the representation module (124) is configured to convert the key into a set of words using a one-time-password dictionary, such as the one described in RFC 1938 (http://rfc.net/rfc1938.html).
  • the timing module (116) is configured to generate a nonce, and verify the validity of the nonce.
  • the nonce refers to a mechanism that is included/embedded in a message, such as a time stamp or any other marker.
  • the nonce is used to limit the validity of the message to a certain period of time by providing information to the node (or any inquiring process) that indicates when the message was sent.
  • the operation of the nonce with respect to the invention is described below.
  • the node includes a communications interface (112) that is configured to send and receive data (e.g ., data to send to the other node, HMAC of the data being sent, keys, nonce, etc.) to/from other devices (e.g., nodes).
  • User A (104) is using Node A (100) and User B (106) is using Node B (102).
  • User A (104) and User B (106) may communicate via an authentic channel (110).
  • the authentic channel (110) may be, for example, speaking over the phone, speaking in person, email, meeting in person and comparing the representations, etc.
  • the authentic channel (110) is not required to be confidential only authentic ( i.e ., need to know who you are communicating with).
  • Figure 2 shows a flow diagram of the method in accordance with one embodiment of the invention.
  • the initiation of data communication may be performed in a number of different ways.
  • the manner used to initiate the transfer of data may depend on the type of data.
  • Node A (100) and Node B (102) want to establish a secure communication channel, using, for example, a public-key infrastructure, then Node A (100) may initiate communication by sending out a broadcast request for Node B's (102) public key (or any other data (D)) that is required to establish a secure communication channel between Node A (100) and Node B (102)) (ST100).
  • Node A (100) may initiate communication by sending out a broadcast request for Node B's (102) public key (or any other data (D)) that is required to establish a secure communication channel between Node A (100) and Node B (102)) (ST100).
  • Node B (102) only wants to send data (D) to Node A (100) and does not necessarily want to establish a secure communications channel
  • Node B (102) would initiate the communication of data (D) starting at ST102.
  • the node sending the data i.e., Node B (102) in Figure 2
  • the node sending the data i.e., Node B (102) in Figure 2
  • K the key (K) (ST102).
  • the length of the key (K) depends on the implementation. However, those skilled in the art will appreciate that the length of the key (K) should be such that the key cannot be guessed in the time it takes to send the nonce (ST110) and receive the nonce (ST112) (both steps are described below).
  • the key (K) may be, for example, between 44-55 bytes.
  • the key (K) is used as an input into the HMAC function, along with the data (D) to be transferred, to generate a message (M) (ST104).
  • the message (M) is subsequently sent to Node A (100) (ST106).
  • Node A (100) upon receiving the message (M), stores the message (M), and then generates a nonce (ST108).
  • the nonce is subsequently communicated to Node B (102).
  • Node B (102) in response to receiving the nonce from Node A (100), sends the key (K), the data (D), and the nonce, to Node A (100) (ST112).
  • Node A (100) upon receiving the key (K), the data (D), and the nonce, checks the nonce to determine whether the nonce is valid (ST114).
  • the nonce is used as a mechanism to circumvent man-in-the-middle attacks, by setting a time limit in which Node B (102) has to respond to Node A (100) once Node A (100) sends the nonce to Node B (102).
  • Node A (100) does not receive a message containing the nonce, the key (K), and the data (D), within a certain time period (as tracked by the nonce and verified by Node A (100)), the transfer of data (D) is terminated.
  • Node A (100) proceeds to verify the message (M).
  • Node A (100) verifies the message (M) sent by Node B (102) (ST116) by independently calculating the message (M') using the key (K) and the data (D) received in ST112, then comparing the calculated message (M') with the message (M). If the calculated message (M') matches the message (M) received in ST106, then the message (M) is verified. At this stage, the integrity of data (D) has been verified but the authenticity has not been established.
  • Node A (100) After Node A (100) has verified the integrity of the data (D), Node A (100) generates a representation of the key (K) that it received from Node B (102) in ST112 (ST118). As described above, the representation may be in any human identifiable form, such as, a set of words, an image or set of images, an audio file or set of audio files, etc.
  • Node B (102) also independently generates a representation (in the same form as Node A (100)) of the key (K) that it used to generate the message (M) (ST120).
  • Node B (102) may generate a representation of the key (K) at any time after the key (K) is generated.
  • Node A (100) may generate a representation of the key (K) anytime after the key (K) is received from Node B (102).
  • nodes via the users of the nodes compare the representations of the key using an authentic channel (110) (ST122). If the representations of the key (K) match, then Node A (100) is said to have authenticated that the message (M) (and hence the data (D)) was in fact sent from Node B (102). At this stage, the communication of data (D) between Node A (100) and Node B (102) is complete.
  • the data (D) may be used to establish a secure communications channel.
  • the aforementioned method of communication data (D) may be used to bootstrap secure communication between the nodes. For example, the aforementioned method could be applied twice, once to communicate Node A's (100) public key to Node B (102), and once to communicate Node B's (102) public key to Node A (100). Once the public keys have been exchanged, the nodes may establish a secure communications channel using the authentic public-keys.
  • the length of the key (K) and the use of the nonce, in the aforementioned invention may be used to effectively circumvent man-in-the-middle attacks.
  • the length of the (K) must be chosen such that if a third party intercepts (or otherwise obtains) the message (M) sent in ST106, the third party will not be able to determine (for example, using a brute-force attack) the key (K) prior to Node B (102) sending the key (K) in ST112.
  • the third party While the length of the key (K) is an important factor in circumventing man-in-the-middle attacks, if the third party is capable of controlling the packet flow between Node A (100) and Node B (102), then the third party may still obtain the key (K) by delaying communication between the nodes, thereby giving the third party additional time to determine the key (K).
  • the nonce is used as a means to terminate the communication between the nodes if the communication time reaches a dangerous time limit (i.e., a time when a man-in-the-middle attack may be successful based on the length of the key (K) and the third party's processing speed).

Abstract

A method for sending data from a second node (102) to a first node (100), including generating a hashed message authentication code (M) using a key and data, sending the hashed message authentication code (M) to the first node (100), generating a nonce in response to receiving the hashed message authentication code (M) by the first node (100), sending the nonce to the second node (102), sending the nonce, the key (K) and data (D) to the first node in response to the second node (102) receiving the nonce, verifying the hashed message authentication code (M) by the first node (100) using the key (K) and data (D), if the hashed message authentication code (M) is verified: generating a first representation on the first node (100) and a second representation on the second node (102), wherein the first representation and the second representation are associated with the key (K), and verifying that the first representation matches the second representation using an authentic channel (110).

Description

    Background
  • Dramatic advances in computer technology presently make it possible to integrate a significant amount of computing power into small portable computing devices, such as cell phones and personal digital assistants (PDAs). This has led to a proliferation of networked devices over the past few years. Due to a large increase in the number of networked devices, the Internet Protocol version 4 (IPv4) address space, which is based on a 32-bit long address format, will soon run out of usable addresses. To solve this problem, Internet Protocol version 6 (IPv6) was proposed. IPv6 defines a 128-bit long address format, which is believed to provide a sufficient number of addresses to accommodate all networked devices.
  • As larger numbers of devices are able to communicate with each other across the Internet and other ad hoc networks, a number of security threats can arise. One issue is the address ownership problem: how does one prove that a device legally owns an address (i.e., that the device is not stealing an address belonging to another device)?
  • A recently proposed Crypto-Based Identifier (CBID) scheme can be used to remedy this problem. CBIDs are derived from cryptographic keys. More specifically, a given device in a network can be associated with a unique private-public key pair, the CBID may then be derived from the public key. The derivation of the CBID typically involves performing a secure hash on the public key associated with the device and using the result as a basis to produce a CBID. As a result, a CBID can be verifiably associated with the public key associated with the device. Because the CBID contains unique identification (i.e., part of the result of applying the secure hash of the public key), one may readily verify the device.
  • While the CBID provides a means to verify which device one is communicating with, the CBID does not provide a means to authenticate the user of the device. Thus, how does a user ensure that who she is communicating with? User authentication can be accomplished through the public key infrastructure. However, one cannot always assume that the public key infrastructure is available. For example, when two users wish to communicate with each other through wireless devices, and the area they are located in does not have any wireless connectivity to the Internet, neither of the devices is capable of accessing an Internet-based public key infrastructure.
  • In the absence of a public key infrastructure, an alternative approach is to use existing authenticated (but not necessarily secret) human communication channels, such as visual or audio communications, to authenticate users and to bootstrap secure communications. For example, if Alice wishes to communicate with Bob through wireless devices in a public place, Alice's device needs to identify Bob's device. To achieve this, Bob can verbally communicate to Alice his device's address or identifier, which can be represented as a string of symbols, and Alice can then enter this string of symbols into her device. [denigration]
  • One method of authenticating a device and the user of the device using the aforementioned human communication channel is to convey the CBID of the device that is to be authenticated to the device performing the authentication over a communication channel. The authenticating device and the device to be authenticated may independently convert the CBID of the device to be authenticated into a human readable character string (i.e., a set of words) using, for example, a one-time-password dictionary. The human readable character string generated by both the authenticating device and the device to be authenticated are then compared over an existing authenticated human communication channel (e.g., speaking over the phone, speaking in person, email, etc.). The human readable character string typically contains 8-10 four letter words.
    • Summary
  • In general, in one aspect, the invention relates to a method for sending data from a second node (102) to a first node (100), comprising generating a hashed message authentication code (M) using a key and data, sending the hashed message authentication code (M) to the first node (100), generating a nonce in response to receiving the hashed message authentication code (M) by the first node (100), sending the nonce to the second node (102), sending the nonce, the key (K) and data (D) to the first node (100) in response to the second node (102) receiving the nonce, verifying the hashed message authentication code (M) by the first node (100) using the key (K) and data (D), if the hashed message authentication code (M) is verified generating a first representation on the first node (100) and a second representation on the second node (102), wherein the first representation and the second representation are associated with the key (K), and verifying that the first representation matches the second representation using an authentic channel (110).
  • In general, in one aspect, the invention relates to a method for establishing a secure communications channel (108) between a first node (100) and a second node (102), comprising generating a first hashed message authentication code using a first key and a first asymmetric key, sending the first hashed message authentication code to the first node (100), generating a first nonce in response to receiving the first hashed message authentication code by the first node (100), sending the first nonce to the second node (102), sending the first nonce, the first key and the first asymmetric key to the first node (100) in response to the second node receiving the first nonce, verifying the first hashed message authentication code by the first node (100) using the first key and the first asymmetric key, if the first hashed message authentication code is verified: generating a first representation on the first node (100) and a second representation on the second node (102), wherein the first representation and the second representation are associated with the first key, verifying that the first representation matches the second representation using an authentic channel (110), generating a second hashed message authentication code using a second key and a second asymmetric key, sending the second hashed message authentication code to the second node (102), generating a second nonce (102) in response to receiving the second hashed message authentication code by the second node (102), sending the second nonce to the first node (100), sending the second nonce (102), the second key and the second asymmetric key to the second node (102) in response to the first node (100) receiving the second nonce, verifying the second hashed message authentication code by the first node (100) using the second key and the second asymmetric key, if the second hashed message authentication code is verified: generating a third representation on the first node (100) and a fourth representation on the second node (102), wherein the third representation and the fourth representation are associated with the second key, verifying that the third representation matches the fourth representation using the authentic channel (110), and establishing a secure communications channel (108) using the first asymmetric key and the second asymmetric key.
  • Further, embodiments of the invention relates to verifying the first nonce sent from the second node (102) by the first node (100) to determine whether the first nonce is valid, and aborting establishing the secure communications channel (108), if the second nonce is not valid, verifying the second nonce sent from the first node (100) by the second node (102) to determine whether the first nonce is valid, and aborting establishing the secure communications channel (108), if the second nonce is not valid.
  • In addition, in certain aspects of the invention, the first representation, the second representation, the third representation, and the fourth representation are generated using a one-time-password dictionary. In addition, in certain aspects of the invention, the first representation, the second representation, the representation, and the fourth representation correspond to fractal images. In addition, in certain aspects of the invention, the first representation, the second representation, the third representation, and the fourth representation correspond to audio files.
  • In general, in one aspect, the invention relates to a system, comprising a first node (100) and a second node (102), wherein the first node (100) is operatively connected to the second node (102) via a communication channel (108), and wherein the first node (100) is operatively connected to the second node (102) using an authentic channel (110), and wherein the first node (100) is configured to generate a hashed message authentication code using a key (K) and data (D), send the hashed message authentication code to the first node (100), generate a nonce in response to receiving the hashed message authentication code by the first node (100), send the nonce to the second node (102), send the nonce, the key (K), and data (D) to the first node (100) in response to the second node (102) receiving the nonce, verify the hashed message authentication code by the first node (100) using the key (K), and data (D), if the hashed message authentication code is verified: generate a first representation on the first node (100) and a second representation on the second node (102), wherein the first representation and the second representation are associated with the key (K), and verify that the first representation matches the second representation using an authentic channel (110).
  • Other aspects of the invention will be apparent from the following description and the appended claims.
    • Brief Description of Drawings
  • Figure 1 shows a system in accordance with one embodiment of the invention.
  • Figure 2 shows a flow diagram in accordance with one embodiment of the invention.
    • Detailed Description
  • Exemplary embodiments of the invention will be described with reference to the accompanying drawings. Like items in the drawings are shown with the same reference numbers.
  • In an embodiment of the invention, numerous specific details are set forth in order to provide a more thorough understanding of the invention. However, it will be apparent to one of ordinary skill in the art that the invention may be practiced without these specific details. In other instances, well-known features have not been described in detail to avoid obscuring the invention.
  • In general, embodiments of the invention relate to a method and apparatus for transferring data between nodes in a network using a communication channel and a separate authentic channel. Embodiments of the invention provide a method and apparatus to transfer data in a manner that ensures authenticity (i.e., the source of the data is authenticated) and integrity of the data (i.e., the data that is received is identical to the data sent). More specifically, embodiments of the invention provide a method and apparatus to transfer data in the form of a Hashed Message Authentication Code (HMAC) (i.e., a message authentication code generated using a keyed-hashing mechanism) and then subsequently authenticating the key used to generate the HMAC using a separate authentic channel. Further, embodiments of the invention provide a method and apparatus for authenticating the key used to generate the HMAC using human readable representation, such as, a set of words, sounds, images (e.g., fractal images), etc. Further, embodiments of the invention provide a method for transferring data, such as public keys, etc. that may be used to establish a secure communications channel.
  • Figure 1 shows a system in accordance with one embodiment of the invention. In the particular embodiment shown in Figure 1, the system includes two nodes (i.e., Node A (100) and Node B (102)). The nodes (i.e., Node A (100) and Node B (102)) typically communicate and transfer data via a communication channel (108). The communication channel (108) may correspond to any method of transferring data between the nodes (i.e., Node A (100) and Node B (102)), such as a local area network (wired, wireless, or a combination of both), a wide area network (wired, wireless, or a combination of both), a Bluetooth network, a global system for mobile communication (GSM) network, etc.
  • As shown in the expanded view (100A) of Node A (100), each node may include a control module (114) that is typically configured to control the overall operation of the node. Further, the control module (114) may be configured to manage other components within the node (100). In the embodiment shown in Figure 1, Node A (100) includes the following components: a HMAC generator (120), a key generator (122), a memory (118), a representation module (124), a timing module (116), and a communications interface (112). Each of the components is described below in detail. The key generator (122) is configured to generate a key, for example, using a random number generator, etc. The HMAC generator (120), in one embodiment of the invention, is configured to obtain data, to be sent, from the memory (118), and the key from the key generator (122) and generate a HMAC of the data using the key.
  • In one embodiment of the invention, the HMAC generator (120) uses a cryptographic hash function such as Secure Hash Algorithm-1 (SHA-1) or Message Digest 5 (MD 5) to generate the HMAC. An implementation of a mechanism for HMAC is outlined in RFC 2104 (http://rfc.net/rfc2104.html) Those skilled in the art will appreciate that while the aforementioned description of the invention uses a HMAC mechanism, any mechanism that provides the same (or similar) characteristics as the HMAC mechanism may be used and is within the scope of the invention.
  • Continuing with the discussion of Figure 1, in one embodiment of the invention, the representation module (124) includes functionality to convert the key (either generated by the key generator (122) of the node or received from another node) into a human identifiable form (i.e., a form that can be easily identified by humans such as a set of words, an image, an audio file, etc.). In one embodiment of the invention, the representation module (124) is configured to convert the key into a set of words using a one-time-password dictionary, such as the one described in RFC 1938 (http://rfc.net/rfc1938.html). In one embodiment of the invention, the timing module (116) is configured to generate a nonce, and verify the validity of the nonce. In one embodiment of the invention, the nonce refers to a mechanism that is included/embedded in a message, such as a time stamp or any other marker. The nonce is used to limit the validity of the message to a certain period of time by providing information to the node (or any inquiring process) that indicates when the message was sent. The operation of the nonce with respect to the invention is described below. Finally, the node includes a communications interface (112) that is configured to send and receive data (e.g., data to send to the other node, HMAC of the data being sent, keys, nonce, etc.) to/from other devices (e.g., nodes).
  • Further, as shown in Figure 1, User A (104) is using Node A (100) and User B (106) is using Node B (102). In addition, User A (104) and User B (106) may communicate via an authentic channel (110). The authentic channel (110) may be, for example, speaking over the phone, speaking in person, email, meeting in person and comparing the representations, etc. The authentic channel (110) is not required to be confidential only authentic (i.e., need to know who you are communicating with).
  • Using the nodes shown in Figure 1 (or nodes with similar functionality), the following method may be used to communicate data in a manner that maintains authenticity and integrity of the data. Figure 2 shows a flow diagram of the method in accordance with one embodiment of the invention. The initiation of data communication may be performed in a number of different ways. The manner used to initiate the transfer of data may depend on the type of data. For example, if Node A (100) and Node B (102) want to establish a secure communication channel, using, for example, a public-key infrastructure, then Node A (100) may initiate communication by sending out a broadcast request for Node B's (102) public key (or any other data (D)) that is required to establish a secure communication channel between Node A (100) and Node B (102)) (ST100).
  • Alternatively, if Node B (102) only wants to send data (D) to Node A (100) and does not necessarily want to establish a secure communications channel, then Node B (102) would initiate the communication of data (D) starting at ST102. Regardless of which node initiates the communication of data (D), once the communication of data (D) has been initiated, the node sending the data (i.e., Node B (102) in Figure 2) generates a key (K) (ST102). The length of the key (K) depends on the implementation. However, those skilled in the art will appreciate that the length of the key (K) should be such that the key cannot be guessed in the time it takes to send the nonce (ST110) and receive the nonce (ST112) (both steps are described below). Thus, depending on the state of the technology, etc., the key (K) may be, for example, between 44-55 bytes.
  • Once the key has been generated, the key (K) is used as an input into the HMAC function, along with the data (D) to be transferred, to generate a message (M) (ST104). The message (M) is subsequently sent to Node A (100) (ST106). Node A (100) upon receiving the message (M), stores the message (M), and then generates a nonce (ST108). The nonce is subsequently communicated to Node B (102). Node B (102), in response to receiving the nonce from Node A (100), sends the key (K), the data (D), and the nonce, to Node A (100) (ST112).
  • Node A (100) upon receiving the key (K), the data (D), and the nonce, checks the nonce to determine whether the nonce is valid (ST114). In particular, the nonce is used as a mechanism to circumvent man-in-the-middle attacks, by setting a time limit in which Node B (102) has to respond to Node A (100) once Node A (100) sends the nonce to Node B (102). Thus, if Node A (100) does not receive a message containing the nonce, the key (K), and the data (D), within a certain time period (as tracked by the nonce and verified by Node A (100)), the transfer of data (D) is terminated.
  • Once Node A (100) has checked that the nonce is valid (i.e., that Node B (102) responded within the allowed time period), then Node A (100) proceeds to verify the message (M). Node A (100) verifies the message (M) sent by Node B (102) (ST116) by independently calculating the message (M') using the key (K) and the data (D) received in ST112, then comparing the calculated message (M') with the message (M). If the calculated message (M') matches the message (M) received in ST106, then the message (M) is verified. At this stage, the integrity of data (D) has been verified but the authenticity has not been established.
  • After Node A (100) has verified the integrity of the data (D), Node A (100) generates a representation of the key (K) that it received from Node B (102) in ST112 (ST118). As described above, the representation may be in any human identifiable form, such as, a set of words, an image or set of images, an audio file or set of audio files, etc. Node B (102) also independently generates a representation (in the same form as Node A (100)) of the key (K) that it used to generate the message (M) (ST120). Those skilled in the art will appreciate that Node B (102) may generate a representation of the key (K) at any time after the key (K) is generated. Similarly, Node A (100) may generate a representation of the key (K) anytime after the key (K) is received from Node B (102).
  • Once each node has generated a representation of the key (K), nodes (via the users of the nodes) compare the representations of the key using an authentic channel (110) (ST122). If the representations of the key (K) match, then Node A (100) is said to have authenticated that the message (M) (and hence the data (D)) was in fact sent from Node B (102). At this stage, the communication of data (D) between Node A (100) and Node B (102) is complete.
  • However, as noted above, depending on the data (D) communicated between the nodes, the data (D) may be used to establish a secure communications channel. Thus, the aforementioned method of communication data (D) may be used to bootstrap secure communication between the nodes. For example, the aforementioned method could be applied twice, once to communicate Node A's (100) public key to Node B (102), and once to communicate Node B's (102) public key to Node A (100). Once the public keys have been exchanged, the nodes may establish a secure communications channel using the authentic public-keys.
  • Those skilled in the art will appreciate that the length of the key (K) and the use of the nonce, in the aforementioned invention, may be used to effectively circumvent man-in-the-middle attacks. In particular, the length of the (K) must be chosen such that if a third party intercepts (or otherwise obtains) the message (M) sent in ST106, the third party will not be able to determine (for example, using a brute-force attack) the key (K) prior to Node B (102) sending the key (K) in ST112. While the length of the key (K) is an important factor in circumventing man-in-the-middle attacks, if the third party is capable of controlling the packet flow between Node A (100) and Node B (102), then the third party may still obtain the key (K) by delaying communication between the nodes, thereby giving the third party additional time to determine the key (K). To circumvent this method of attack, the nonce is used as a means to terminate the communication between the nodes if the communication time reaches a dangerous time limit (i.e., a time when a man-in-the-middle attack may be successful based on the length of the key (K) and the third party's processing speed).
  • While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this disclosure, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as disclosed herein. Accordingly, the scope of the invention should be limited only by the attached claims.

Claims (14)

  1. A method for sending data from a second node (102) to a first node (100), comprising:
    generating a hashed message authentication code (M) using a key and data;
    sending the hashed message authentication code (M) to the first node (100);
    generating a nonce in response to receiving the hashed message authentication code (M) by the first node (100);
    sending the nonce to the second node (102);
    sending the nonce, the key (K) and data (D) to the first node (100) in response to the second node (102) receiving the nonce;
    verifying the hashed message authentication code (M) by the first node (100) using the key (K) and data (D);
    if the hashed message authentication code (M) is verified:
    generating a first representation on the first node (100) and a second representation on the second node (102), wherein the first representation and the second representation are associated with the key (K); and
    verifying that the first representation matches the second representation using an authentic channel (110).
  2. The method of claim 1, further comprising:
    verifying the nonce sent from the second node (102) by the first node (100) to determine whether the nonce is valid; and
    aborting the sending of the second node (102) by the first node (100), if the nonce is not valid.
  3. The method of claim 1, further comprising:
    generating the hashed message authentication code (M) in response to the first node (100) requesting data (D).
  4. The method of claim 1, wherein the first node (100) requests data (D) using at least one selected from the group consisting of a broadcast message and a multicast message.
  5. The method of claim 1, wherein data (D) comprises an asymmetric key.
  6. The method of claim 5, wherein the asymmetric key is used to bootstrap a secure communications channel between the first node (100) and the second node (102).
  7. The method of claim 1, wherein the first representation and the second representation are generated using a one-time-password dictionary.
  8. The method of claim 1, wherein the first representation and the second representation correspond to fractal images.
  9. The method of claim 1, wherein the first representation and the second representation correspond to audio files.
  10. The method of claim 1, wherein the authentic channel is a low bandwidth channel.
  11. A system, comprising:
    a first node (100) and a second node (102),
    wherein the first node (100) is operatively connected to the second node (102) via a communication channel (108), and
    wherein the first node (100) is operatively connected to the second node (102) using an authentic channel (110), and wherein the first node (100) is configured to:
    generate a hashed message authentication code using a key (K) and data (D);
    send the hashed message authentication code to the first node (100);
    generate a nonce in response to receiving the hashed message authentication code by the first node (100);
    send the nonce to the second node (102);
    send the nonce, the key (K), and data (D) to the first node (100) in response to the second node (102) receiving the nonce;
    verify the hashed message authentication code by the first node (100) using the key (K), and data (D);
    if the hashed message authentication code is verified:
    generate a first representation on the first node (100) and a second representation on the second node (102), wherein the first representation and the second representation are associated with the key (K); and
    verify that the first representation matches the second representation using an authentic channel (110).
  12. The system of claim 10, wherein data comprises an asymmetric key.
  13. The system of claim 11, wherein the asymmetric key is used to bootstrap a secure communications channel (108) between the first node (100) and the second node (102).
  14. The system of claim 10, wherein the first representation and the second representation are generated using a one-time-password dictionary.
EP04291931A 2004-07-29 2004-07-29 Method and apparatus for minimally onerous and rapid authentification Withdrawn EP1622333A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP04291931A EP1622333A1 (en) 2004-07-29 2004-07-29 Method and apparatus for minimally onerous and rapid authentification
US11/029,925 US20060026433A1 (en) 2004-07-29 2005-01-05 Method and apparatus for minimally onerous and rapid cocktail effect authentication (MORCEAU)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
EP04291931A EP1622333A1 (en) 2004-07-29 2004-07-29 Method and apparatus for minimally onerous and rapid authentification

Publications (1)

Publication Number Publication Date
EP1622333A1 true EP1622333A1 (en) 2006-02-01

Family

ID=34931301

Family Applications (1)

Application Number Title Priority Date Filing Date
EP04291931A Withdrawn EP1622333A1 (en) 2004-07-29 2004-07-29 Method and apparatus for minimally onerous and rapid authentification

Country Status (2)

Country Link
US (1) US20060026433A1 (en)
EP (1) EP1622333A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8078867B2 (en) * 2005-08-12 2011-12-13 Research In Motion Limited System and method for authenticating streamed data
IL173706A (en) * 2006-02-13 2013-09-30 Bromine Compounds Ltd Antimony- based corrosion inhibitors for high density brine and a method for inhibiting corrosion by using them
US8356178B2 (en) * 2006-11-13 2013-01-15 Seagate Technology Llc Method and apparatus for authenticated data storage
US7266693B1 (en) * 2007-02-13 2007-09-04 U.S. Bancorp Licensing, Inc. Validated mutual authentication
US8539233B2 (en) * 2007-05-24 2013-09-17 Microsoft Corporation Binding content licenses to portable storage devices
KR101706117B1 (en) * 2010-01-15 2017-02-14 삼성전자주식회사 Apparatus and method for other portable terminal authentication in portable terminal
US8839357B2 (en) * 2010-12-22 2014-09-16 Canon U.S.A., Inc. Method, system, and computer-readable storage medium for authenticating a computing device
US10574940B2 (en) * 2017-10-31 2020-02-25 International Business Machines Corporation Traffic stop communications system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030041244A1 (en) * 2000-04-28 2003-02-27 Levente Buttyan Method for securing communications between a terminal and an additional user equipment
US20040025017A1 (en) * 2002-07-31 2004-02-05 Ellison Carl M. Sensory verification of shared data

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI106605B (en) * 1997-04-16 2001-02-28 Nokia Networks Oy authentication method
US6453416B1 (en) * 1997-12-19 2002-09-17 Koninklijke Philips Electronics N.V. Secure proxy signing device and method of use
DE69941335D1 (en) * 1999-12-02 2009-10-08 Sony Deutschland Gmbh message authentication
US6996715B2 (en) * 2002-01-03 2006-02-07 Lockheed Martin Corporation Method for identification of a user's unique identifier without storing the identifier at the identification site
US7284127B2 (en) * 2002-10-24 2007-10-16 Telefonktiebolaget Lm Ericsson (Publ) Secure communications
US20040092310A1 (en) * 2002-11-07 2004-05-13 Igt Identifying message senders
US7607009B2 (en) * 2003-02-10 2009-10-20 International Business Machines Corporation Method for distributing and authenticating public keys using time ordered exchanges
GB2404535B (en) * 2003-07-29 2006-07-19 Ncipher Corp Ltd Secure transmission of data within a distributed computer system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030041244A1 (en) * 2000-04-28 2003-02-27 Levente Buttyan Method for securing communications between a terminal and an additional user equipment
US20040025017A1 (en) * 2002-07-31 2004-02-05 Ellison Carl M. Sensory verification of shared data

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
BALFANZ D ET AL: "Talking to strangers: authentication in ad-hoc wireless networks", NINTH ANNUAL SYMPOSIUM ON NETWORK AND DISTRIBUTED SYSTEM SECURITY INTERNET SOC RESTON, VA, USA, 6 February 2002 (2002-02-06), pages 13 pp., XP002312506 *
BELLARE M: "MESSAGE AUTHENTICATION USING HASH FUNCTIONS - THE HMAC CONSTRUCTION", CRYPTOBYTES MAGAZINE, XX, XX, vol. 2, no. 1, 1996, pages 1 - 5, XP002184520 *

Also Published As

Publication number Publication date
US20060026433A1 (en) 2006-02-02

Similar Documents

Publication Publication Date Title
US8418235B2 (en) Client credential based secure session authentication method and apparatus
Xue et al. A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture
CN106164922B (en) Self-organizing one-time pairing of remote devices using online audio fingerprinting
EP1536609B1 (en) Systems and methods for authenticating communications in a network
AU2007231614B2 (en) Client credential based secure session authentication method and apparatus
KR100990320B1 (en) Method and system for providing client privacy when requesting content from a public server
JP3552648B2 (en) Data transmission / reception system for ad hoc wireless communication and data transmission / reception method for ad hoc wireless communication
EP2289220B1 (en) Network helper for authentication between a token and verifiers
US8156337B2 (en) Systems and methods for authenticating communications in a network medium
EP2491672B1 (en) Low-latency peer session establishment
US7281128B2 (en) One pass security
EP1478156A2 (en) Method of distributing encryption keys among nodes in mobile ad hoc network and network device using the same
US20060005033A1 (en) System and method for secure communications between at least one user device and a network entity
JP2020080530A (en) Data processing method, device, terminal, and access point computer
KR20030075224A (en) Method of access control in wireless environment and recording medium in which the method is recorded
JP2005269656A (en) Efficient and secure authentication of computing system
CN101960814A (en) IP address delegation
CN111654481B (en) Identity authentication method, identity authentication device and storage medium
EP1622333A1 (en) Method and apparatus for minimally onerous and rapid authentification
JP2003338814A (en) Communication system, administrative server, control method therefor and program
KR100901279B1 (en) Wire/Wireless Network Access Authentication Method using Challenge Message based on CHAP and System thereof
US7434051B1 (en) Method and apparatus for facilitating secure cocktail effect authentication
Chen et al. SSL/TLS session-aware user authentication using a gaa bootstrapped key
Lee Bluetooth security protocol analysis and improvements
JP2001103049A (en) Method of user authentication

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL HR LT LV MK

AKX Designation fees paid
REG Reference to a national code

Ref country code: DE

Ref legal event code: 8566

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20060802